Civilian Board Of Contract Appeals Electronic Docketing System vulnerabilities
4 known vulnerabilities affecting civilian_board_of_contract_appeals/electronic_docketing_system.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2026-54103 | P2 | CRITICAL | CVSS 9.8 | fixed in 2026-03-19 | 2026-06-18
CVE-2026-54103 [CRITICAL] CWE-306
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Source: nvd
CVE-2026-54104 | P2 | HIGH | CVSS 8.8 | fixed in 2026-03-19 | 2026-06-18
CVE-2026-54104 [HIGH] CWE-602
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trust client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
Source: nvd
CVE-2026-54105 | P3 | MEDIUM | CVSS 5.3 | fixed in 2026-03-19 | 2026-06-18
CVE-2026-54105 [MEDIUM] CWE-639
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter
Source: nvd
CVE-2026-54106 | P4 | MEDIUM | CVSS 4.7 | fixed in 2026-03-19 | 2026-06-18
CVE-2026-54106 [MEDIUM] CWE-940
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
Source: nvd